axibase/atsd-jdbc:pom.xml

Vulnerabilities: 2 via 5 paths
Dependencies: 12
Source: GitHub
Commit: 7c3ce038

high severity

Man-in-the-Middle (MitM)

  • Vulnerable module: org.apache.calcite:calcite-core
  • Introduced through: org.apache.calcite:calcite-core@1.13.0

Detailed paths

  • Introduced through: axibase/atsd-jdbc@axibase/atsd-jdbc#7c3ce038685e737a45bef23d0e0d8c3a10235c75 org.apache.calcite:calcite-core@1.13.0
    Remediation: Upgrade to org.apache.calcite:calcite-core@1.26.0.

Overview

org.apache.calcite:calcite-core provides the core Calcite APIs and engine.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect to Druid and Splunk, so information leakage may happen when using the respective Calcite adapters.

The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications.

Remediation

Upgrade org.apache.calcite:calcite-core to version 1.26 or higher.

medium severity

Information Disclosure

  • Vulnerable module: com.google.guava:guava
  • Introduced through: com.google.guava:guava@25.1-android, org.apache.calcite:calcite-linq4j@1.13.0 and others

Detailed paths

  • Introduced through: axibase/atsd-jdbc@axibase/atsd-jdbc#7c3ce038685e737a45bef23d0e0d8c3a10235c75 com.google.guava:guava@25.1-android
    Remediation: Upgrade to com.google.guava:guava@30.0-android.
  • Introduced through: axibase/atsd-jdbc@axibase/atsd-jdbc#7c3ce038685e737a45bef23d0e0d8c3a10235c75 org.apache.calcite:calcite-linq4j@1.13.0 com.google.guava:guava@25.1-android
  • Introduced through: axibase/atsd-jdbc@axibase/atsd-jdbc#7c3ce038685e737a45bef23d0e0d8c3a10235c75 org.apache.calcite:calcite-core@1.13.0 com.google.guava:guava@25.1-android
  • Introduced through: axibase/atsd-jdbc@axibase/atsd-jdbc#7c3ce038685e737a45bef23d0e0d8c3a10235c75 org.apache.calcite:calcite-core@1.13.0 org.apache.calcite:calcite-linq4j@1.13.0 com.google.guava:guava@25.1-android

Overview

com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Information Disclosure. The permissions on the directory created by com.google.common.io.Files.createTempDir allow an attacker running a malicious program co-resident on the same machine to steal secrets stored in this directory. This is because, by default on Unix-like operating systems, the /tmp directory is shared between all users, so if the directory or file creator does not set the correct permissions, the file becomes readable by all other users on that system.

PoC

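// runLS(dir, file) is a helper that is not shown on this page; the comments below give the permissions it prints.
File guavaTempDir = com.google.common.io.Files.createTempDir();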
System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
File child = new File(guavaTempDir, "guava-child.txt");
child.createNewFile();
runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--

Remediation

Upgrade com.google.guava:guava to version 30.0-android, 30.0-jre or higher.
